OSADL Project: SIL2LinuxMP

Rationale

The SIL2LinuxMP project aims at the certification of the base components of an embedded GNU/Linux RTOS running on a single-core or multi-core industrial COTS computer board. Base components are boot loader, root filesystem, Linux kernel and C library bindings to access the Linux kernel. With the exception of a minimal set of utilities (to inspect the system, manage files and start test procedures), user space applications are not included.

Certification rules

In general, various rules can be used when a system has to undergo certification for use in a safety-critical environment.

"Compliant development"

The most obvious certification rule is "compliant development" which means that the entire development process from the design and the first line of source code up to the final step of system building must follow the rules of the selected safety standard. Open Source is not developed this way – therefore, "compliant development" cannot be used for the Linux kernel.

"Proven in use"

Another, quite popular, rule is "proven in use". Unfortunately, this rule is far more popular than feasible, since the term "proven" only refers to a particular hardware and software version of a given system that must be monitored during a considerable amount of time. If even a slight detail of the system's hardware or software needs to be changed, data collection must be restarted. Thus, the procedure for "proven in use" is similarly expensive and time-consuming for conventional and Open Source projects. By no means can the Linux kernel be regarded as safe, simply because it is so widely used.

"Compliant non-compliant development"

A final rule that is less often used and only available in particular standards is "compliant non-compliant development". It often consists of two consecutive project periods of time. In the first period, arguments for a certain equivalence between the employed and a compliant development will be collected, and methods to supplement these arguments will be developed where required. In a subsequent period, the developed material and methods will be applied to individually specified hardware and software components. In addition, the systems will undergo specific testing to supplement areas where sufficient evidence for standard compliance could not be achieved. The SIL2LinuxMP certification will be largely based on "compliant non-compliant development".

Community approach

Since large parts of the selected certification procedure, namely the paper work to argue for the equivalence of the non-compliant development process, are the same for any Linux based system, a mixed community approach seems to be entirely appropriate. In consequence, OSADL has created a letter of intent and is inviting interested parties to express their willingness to collaborate. The project will be launched when sufficient participants will have signed the letter of intent. If you are interested, please download the below letter of intent, review, complete and sign it, and return it to the OSADL Safety Coordinator. If you have any questions, please contact the OSADL Safety Coordinator as well.